b"INVESTIGATIVE MEMORANDUM ON\nMANAGEMENT ISSUES (G-4421433)\n\n                                                                                November 13,2006\n\nTo:          - T. Ruiz\n          Diego                                                  A\n\n\n\n\nProm: Walter Stachnik\n\nRe:       Name Relationship Search Index (NRSI) Training and Warning\n\nDuring two investigations recently conducted by our office (OIG-442 and 433), we found\nevidence that an employee had used the Name Relationship Search Index (NRSI)' for\npersonal purposes and another employee had shared his NRSI user password with other\nemployees. These two employees, who work in different offices, told us they received\nlittle or no training on NRSI (NRSI) when they were given access to that database. One\nof these employees also indicated that the NRSI training he did receive, which occurred\nover a year after he joined the Commission, focused on how to perform NRSI searches,\nnot on permissible uses of the database. The other employee said he was unaware that\nNRSI passwords could not be shared with other employees.\n\nThe warning on the NRSI login screen does not inform employees that the database is to\nbe used only for official purposes, The warning does instruct employees not to share\ntheir user ids or passwords with anyone and not to distribute NRSI information to any\nunauthorized individuals.\n\nTo prevent improper use of NRSI, training on the system should be improved and\nprovided to employees before they are given NRSI access. Also, the warning on the\nlogin screen should state that NRSI is only for official use.\n\n\n          Recommendation A\n\n          The Office of the Executive Director (OED); in consultation with the Division of\n          Enforcement (Enforcement), the Office of Information Technology (OIT) and\n          other user divisions and offices, should require that all agency employees receive\n          training on NRSI before being granted access to the database. This training\n\n',me NRSI application provides a cross-reference of data by name that is contained in multiple internal and\nexternal automated SEC systems. It enables agency staff to cross-reference information available in these\nsystems by entering a partial or full name of an individual or company. All of the information in NRSI is\nnot for public release.\n\n    According to the NRSI User Guide (Version 1.0, Oct. 10.2003), the OED is the NRSI system owner.\n\x0c      should include a discussion of the non-public nature of the database, the\n      permissible uses of the database, and the prohibition on sharing NRSI user\n      passwords.\n\n      Recommendation B\n\n      The OED, in consultation with Enforcement, OIT, the Office of General Counsel,\n      and other user divisions and offices, should add a statement to the warning on the\n      NRSI login screen that NRSI is to be used only for official purposes.\n\n      Management Response\n\n      The OED agrees with Recommendations A and B. While the OED indicated that\n      resources are too limited to provide in-person training to every new NRSI user,\n      the OED believes that updating and distributing a training CD to new users would\n      be an appropriate remedy. The OED will work with Enforcement and OIT to\n      refme and implement the strategy for training new users, including a clear\n      discussion of permissible and non-permissible uses of the database. The OED\n      will also work with OIT to revise the current NRSI warning statement to clarify\n      that the system is for official use only.\n\n\ncc:   Corey Booth\n      Joseph Gerrity\n      Kenneth Johnson\n      Debra Kittredge\n      Randall Lee\n      Shelley Parratt\n      Linda Thomsen\n      Darlene Pryor\n      Peter Uhlrnann\n\x0c"